|
@@ -36,7 +36,15 @@ you about the next steps. Accepted vulnerabilities will
|
|
|
be disclosed via patch level release with accompanying
|
|
be disclosed via patch level release with accompanying
|
|
|
security advisory.
|
|
security advisory.
|
|
|
|
|
|
|
|
-## Rewards
|
|
|
|
|
|
|
+### Reporting Process Overview
|
|
|
|
|
+
|
|
|
|
|
+- Potential security issues can be reported via security@zammad.com.
|
|
|
|
|
+- We evaluate them and provide timely feedback to the reporter.
|
|
|
|
|
+- There may be security releases created if needed, e.g. https://zammad.com/en/releases/6-3-1.
|
|
|
|
|
+- We publish security advisories for every acknowledged issue, like https://zammad.com/en/advisories/zaa-2024-04.
|
|
|
|
|
+- After their publication, we request CVE identifiers to be assigned to the advisories.
|
|
|
|
|
+
|
|
|
|
|
+### Rewards
|
|
|
|
|
|
|
|
Every first reporter of a vulnerability may be credited
|
|
Every first reporter of a vulnerability may be credited
|
|
|
in the related security advisory.
|
|
in the related security advisory.
|
|
@@ -44,10 +52,29 @@ in the related security advisory.
|
|
|
Zammad does not offer financial compensation through a
|
|
Zammad does not offer financial compensation through a
|
|
|
security bounty program.
|
|
security bounty program.
|
|
|
|
|
|
|
|
-## Process Overview
|
|
|
|
|
|
|
+## Security Measures in Development Workflow
|
|
|
|
|
|
|
|
-- Potential security issues can be reported via security@zammad.com.
|
|
|
|
|
-- We evaluate them and provide timely feedback to the reporter.
|
|
|
|
|
-- There may be security releases created if needed, e.g. https://zammad.com/en/releases/6-3-1.
|
|
|
|
|
-- We publish security advisories for every acknowledged issue, like https://zammad.com/en/advisories/zaa-2024-04.
|
|
|
|
|
-- After their publication, we request CVE identifiers to be assigned to the advisories.
|
|
|
|
|
|
|
+Most of our relevant GitLab related configuration related to
|
|
|
|
|
+Ruby security analysis can be seen in [.gitlab/ci/lint.yml](.gitlab/ci/lint.yml#L49).
|
|
|
|
|
+With this, you can also locally reproduce the results.
|
|
|
|
|
+
|
|
|
|
|
+### Dependency Management
|
|
|
|
|
+
|
|
|
|
|
+We use renovate bot to keep our Ruby and JS dependencies up-to-date by automatic merge requests in our internal GitLab. This config is not visible in our source code, but you can see frequent commits from it in our history, like [this one](https://github.com/zammad/zammad/commit/a61b205e4ba41fca1ec7c85323ec6045fc3672e5).
|
|
|
|
|
+
|
|
|
|
|
+### Dependency Security Analysis
|
|
|
|
|
+
|
|
|
|
|
+As you can see in the GitLab job linked above, we use
|
|
|
|
|
+[bundle-audit](https://github.com/rubysec/bundler-audit) to scan for
|
|
|
|
|
+known security issues in Ruby gems.
|
|
|
|
|
+
|
|
|
|
|
+### Static Ruby Code Analysis
|
|
|
|
|
+
|
|
|
|
|
+We use [brakeman](https://brakemanscanner.org/) to scan for
|
|
|
|
|
+insecure Ruby code constructs, along with an [ignore file](config/brakeman.ignore)
|
|
|
|
|
+that lists known exceptions.
|
|
|
|
|
+
|
|
|
|
|
+### Static JS Code Analysis
|
|
|
|
|
+
|
|
|
|
|
+We use the [SonarJS](https://github.com/SonarSource/SonarJS) plugin for
|
|
|
|
|
+ESLint for this.
|
Martin Gruner